Trigger the "Auditing Turned Off" alert in a detection policy

Article ID: 171431

Products

Data Center Security Server

Issue/Introduction

You need to trigger the "Auditing Turned Off" alert of a detection policy in Data Center Security Server Advanced.

Resolution

Changing the "Audit policy change" parameter in the Security Policy triggers events on Windows 2003 but does not trigger events on Windows 2008 and higher. According to the analysis results, this is expected behavior.

Unlike previous versions of Windows (for example NT 4, 2000 and 2003), the Windows auditing subsystem apparently cannot be turned off in Windows 2008. Previous versions of Windows had auditing disabled by default, whereas Windows 2008 appears to have auditing enabled at all times. This is further reinforced by the fact that the built-in Windows utility auditpol.exe no longer supports the "/disable" command line option.

Merely turning off all of the auditing subcategories is not the same as turning off the auditing subsystem, and the SCSP Audit Collector catches these cases when the appropriate rules are enabled. Based on these observations, the "Disable Auditing" test case is not valid for Windows 2008, and the Audit Collector appears to be working as expected.
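The distinction above (subcategories switched off versus the auditing subsystem itself) can be checked on a host by reading the per-subcategory state that auditpol.exe reports. The following PowerShell is an added example, not part of this article or of the Data Center Security Server product; the function name, the sample CSV and its GUID values are constructed placeholders, and the live call in the comment assumes an elevated prompt.

```powershell
# Added example (not from the KB article): parse the CSV form of
# "auditpol /get /category:* /r" and report which subcategories are set to
# "No Auditing", including the "every subcategory off" case the article says
# the Audit Collector catches. Function name is hypothetical.
function Get-AuditSubcategoryState {
    param([string[]]$CsvLines)
    # auditpol /r prints a blank line before the header; drop empty lines
    $rows = @($CsvLines | Where-Object { $_ -match '\S' } | ConvertFrom-Csv)
    $off  = @($rows | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
    [pscustomobject]@{
        Total                 = $rows.Count
        Disabled              = $off.Count
        AllOff                = ($rows.Count -gt 0 -and $off.Count -eq $rows.Count)
        DisabledSubcategories = @($off | ForEach-Object { $_.Subcategory })
    }
}

# Constructed sample in the column layout auditpol /r emits.
# The GUIDs below are placeholders, not real subcategory GUIDs.
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Security State Change,{00000000-0000-0000-0000-000000000001},Success,
SRV01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000002},No Auditing,
SRV01,System,Logon,{00000000-0000-0000-0000-000000000003},No Auditing,
'@ -split "`r?`n"

$state = Get-AuditSubcategoryState -CsvLines $sample
"{0} of {1} subcategories set to No Auditing" -f $state.Disabled, $state.Total
$state.DisabledSubcategories | ForEach-Object { "  - $_" }
if ($state.AllOff) {
    # This is the condition worth alerting on: all subcategories off,
    # even though the auditing subsystem itself is still running.
    Write-Warning "All audit subcategories are disabled on this host"
}

# Live use from an elevated prompt:
# $state = Get-AuditSubcategoryState -CsvLines (auditpol /get /category:* /r)
```

On the constructed sample this reports 2 of 3 subcategories as "No Auditing" without raising the all-off warning; the "Audit Policy Change" row is the subcategory that corresponds to the parameter discussed in this article.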

Based on the above, the Software Engineering Team is planning to remove this option from the policy configuration in order to avoid future confusion.